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We present formalized proofs verifying that the first-order unification algorithm defined over lists of 
satisfiable constraints generates a most general unifier (MGU), which also happens to be idempotent. 
All of our proofs have been formalized in the Coq theorem prover Our proofs show that finite 
maps produced by the unification algorithm provide a model of the axioms characterizing idempotent 
MGUs of lists of constraints. The axioms that serve as the basis for our verification are derived from 
a standard set by extending them to lists of constraints. For us, constraints are equalities between 
terms in the language of simple types. Substitutions are formally modeled as finite maps using 
the Coq library Coq.FSets.FMapInterface. Coq's method of functional induction is the main proof 
technique used in proving many of the axioms. 

1 Introduction 

We present formalized proofs verifying that the first-order unification algorithm defined over lists of 
satisfiable constraints generates a most general unifier (MGU), which also happens to be idempotent. All 
of our proofs have been formalized in the Coq theorem prover 161 . Our proofs show that substitutions 
produced by the unification algorithm provide a model of the axioms characterizing the idempotent 
MGUs of lists of constraints. 

The formalization and verification presented here was motivated by our work on to verifying Wand's 
constraint based type inference algorithm 1261 (and to verify our extension of Wand's algorithm to include 
polymorphic let [15]). In the recent literature on machine certified proof of correctness of type inference 
algorithms [ 13i|20j|25 1, most general unifiers are characterized by four axioms. 

Recall that T and t' (in some language) are unifiable if there exists a substitution p mapping variables 
to terms in the language such that p(t) = p(t'). In such a case, p is called a unifier. A unifier p is a 
most general unifier if for any other unifier p" there is a substitution p' such that pop' = p". 

We consider the MGU axioms given by Nipkow and Urban f25\. Let p,p',p" denote substitutions i.e. 
functions mapping type variables to terms, constraints are of the form z = z' where z and z' are simple 
types and the symbol FTV is overloaded to denote the free type variables of substitutions, constraints and 
types and the notation. Composition of substitutionals denoted pop'. With these notational conventions 
in mind, the MGU axioms are presented as follows: 

(0 mgwp (Ti=T2)^P(Ti)=p(T2) 

(//) mgu p (ti = T2) A p'(ti) = p'(t2) 3p" .p' ^ p o p" 
(Hi) mgu p (Ti ^ T2) ^ FTV(p) C FTV(ti = T2) 
(iv) p(ti) = p(t2) ^ 3p'. mgu p' (ti = T2) 



The reader should note that in this paper, composition of functions is characterized by the equation (p o p')(x) = p'(p(x)). 



Maribel Fernandez (Ed.): 24th International Workshop on 
Unification (UNIF20 1 0) . 

EPTCS 42, 2010, pp. 24-[38] doi|l0.4204/EPTCS.42.3 



S. Kothari & J. Caldwell 



25 



These axioms, modeling MGUs, have proved useful in verifying substitution-based type inference 
algorithms where the constraints are solved as they are generated, one at a time. In constraint-based type 
inference algorithms like Wand's, the constraints are generated before they are solved. Thus, for use in 
the constraint based setting, we lift the MGU axioms to lists of constraints. To do so, we restate the 
standard axioms to apply to constraint lists, add two new axioms which characterize MGUs of lists of 
constraints; one axiom for the empty list and another for lists constructed by appends. Also, reasoning 
about Wand's type inference algorithm requires the MGUs be idempotent, so we add another axiom 
for idempotency. Idempotent MGUs have the nice property that their domain and range elements are 
disjoint. 

We proceed by characterizing idempotent MGUs for lists of equational constraints by presenting 
seven axioms. Then we show that the first order unification algorithm models those axioms. The the- 
orems and supporting lemmas mentioned in this paper have been formalized and verified in Coq Il23l - 
a theorem prover based on calculus of inductive constructions Iil2il . In the formalization, we represent 
substitutions using Coq's finite map library [IJ. 

To start, we generalize the standard MGU axioms to constraint lists. In addition to the notations in- 
troduced above, if C is a list of constraints, p |= C (read p satisfies C) means that p unifies all constrains 
in C. Let C denote a constraint list, then the MGU axioms (for a list of constraints) are: 

(/) mgu p C =^ p 1= C 

(//) mgu pC A p' \=C^ 3p". p' =po p" 

{Hi) mgupC FTV (p) C FTV (C) 

(iv) p 1= C =^3p'.mgup'C 



To the axioms just mentioned we add three more axioms that characterize idempotent MGUs for a list of 
equational constraints. List append is denoted by ++. 

(v) mgu p C =^ pop = p 
(v/) mgu p [ ] =^ p = W 

{vii) mgu p' C A mgu p" {p'{C")) A mgu p {C ++ C") ^ p = p' o p" 

These additional axioms are mentioned elsewhere in the unification literature, namely |[T4l [TTI. The 
statement of axiom vii is convenient in proofs where constraint lists are constructed by combining lists 
of constraints rather than adding them one at a time. A lemma characterizing lists constructed by conses 
is easily proved from this axiom. 

Formalizing substitutions as finite maps in Coq, we show that first-order unification (unify) is a model 
of the MGU axioms. To distinguish the formal representation of substitutions as finite maps from math- 
ematical functions, we denote finite maps by a, a' , a\, etc. Mathematical functions enjoy extensional 
equality while finite maps do not (more about this later). We write p f« p' to denote extensional equality 
for finite maps; i.e. that under application they agree pointwise on all inputs. With these considerations 
in mind, we have proved the following in Coq: 
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(/) unify(C) = a ^ a |=C 

(//) (unify(C) = a A a' |= C) ^ 3a". a' ^ao a" 

{Hi) unify(C) = a ^ FTV(a) C FTV(C) 

(/v) a 1= C ^ 3a'. unify(C) = a' 

(v) unify(C) = a =^ aoa ^ a 

(vi) unify([ ]) = a =^ a = Oe 

(vii) (unify(C') = a' A unify(a'(C")) = o" A unify(C' ++ C") = a) ^ a^a'oa" 

The rest of this paper is organized as follows: Section [2] introduces a number of formal definitions 
and terminologies needed for this paper. It also includes more discussion about substitutions represented 
as finite functions. Section [3] describes the formalization of a first-order unification algorithm and the 
termination argument. Section |4] describes the functional induction tactic and the theorems and lemmas 
proved in the verification that unify models the idempotent MGU axioms. Finally, Section [5] mentions 
related work and also summarizes our current work. 



2 Types and Substitutions 

Unification is implemented here over a language of simple types given by the following grammar: 
T ::= a I Ti ^ T2 

where a is a type variable, and Ti , T2 G T are type terms. 
Thus, a type is either a type variable or a function type. We define the list of freJ^variables of a type 
(FTV) as: 

FTV(a) =^ [a] 

FTV(t ^ t') ''^ FTV(t) ++ FTV(t') 

We also have equational constraints of the form T = t', where T, t' are types. The list of free variables 
of a constraint list, also denoted by FTV, is given as: 
FTV([]) [] 

FTV((ti = T2) :: C) FTV(ti) ++ FTV(t2) ++ FTV(C) 

Substitutions are formally represented as finite maps where the domain of the map is the collection 
of type variables and the codomain is the simple types. Application of a finite map to a type is defined 
as: 

def- j T if {a,r) G a 
1^ a otherwise 

def 

a(Ti^T2) = a(Ti)^a(T2) 
Application of a finite map to a constraint is defined similarly as: 

(7(Ti = T2) '= C7(Ti) = C7(T2) 

Since Coq's finite maps ai^e not extensional, we define extensionality (ss) as a relation on finite maps as 
follows: 

assa' ya.a{a) ^ a'{a) 

Moreover, the equality can be extended to all types as given by the following lemma: 

Lemma 1. Va. a(a) = a' (a) <^ Vt. a{z) = o'iz) 



a a 



^Strictly speaking, since we have no binding operators in the language of simple types the modifier "free" is unnecessary, 
we include it here anticipating a more complex language of types in future developments. 
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2.1 Implementing Substitutions as Finite Maps 

The representation of substitutions and the libraries available to a user plays a very important role in the 
formalization. In the verification literature, substitutions have been represented as functions ll25l . as lists 
of pairs fT3\, and as sets of pairs 121). We represent substitutions as finite functions (a.k.a finite maps 
in Coq). We use the Coq finite map library Coq.FSets.FMapInterface |1], which provides an axiomatic 
presentation of finite maps and a number of supporting implementations. However, it does not provide 
an induction principle for finite maps, and forward reasoning is often needed to use the library. We found 
we did not need induction to reason on finite maps, though there are natural induction principles we 
might have proved ifTTl fTB l. The fact that the library does not provide for extensional equality of finite 
maps means that, for example, the following simple lemma does not hold: 

Lemma 2. an o cje = cje 

But the following is easily proved: 
Lemma3. 'i'c.{a^oo^){'c) = o^{i) 

To give a feel of the Coq's finite map library, we define free type variables of a substitution, and 
the substitution composition operator using the finite map library functions. In the definitions below, we 
follow Coq's namespace conventions; every library function has a qualifier which denotes the library it 
belongs to. For example, M.map is a function from the finite maps library (M) which maps a function 
over the range elements of a finite map, whereas List. map is a function from the list library. 
First, we define the list of free type variables of a substitution: 

def 

FTV(a) = dom_subst(a) ++ range_subst(a) 
To consider the domain and range elements of a finite function (and this is the key feature of the 
function being finite), we use the finite map library function M. elements. M.elements(a) returns a 
list of pairs (key- value pairs) corresponding to the finite map a. The domain and range elements of a 
substitution are defined as: 

def 

dom_subst(a) = List.map (A?.fst (?)) (M.elements( a)) 

def 

range_subst(a) = List.flat_map (Af.FTV (snd {t))) (M.elements(a)) 
The function List.flat_map is also known as mapcan in LISP and concatMap in Haskell. Next, we 
define a few utility functions to help us define the composition operator o. Applying a substitution o' to 
a substitution a means applying o' to the range elements of a. 

o'{o) = M.map(AT.a'(T))a 
The function subst.diff is used to define composition of finite maps, and is defined as: 

subst_diff a a' M.map2 choose_subst a a' 

In this definition, M.map2 is defined in Coq library as the function that takes two maps a and a', 
and creates a map whose binding belongs to either a or a' based on the function choose_subst, which 
determines the presence and value for a key (absence of a value is denoted by None). The values in the 
first map are preferred over the values in the second map for a particular key. The function choose_subst 
is defined as: 

def 

choose_subst (SomeTi) (SomeT2) = Some Ti 

def 

choose_subst (SomeTi) None = Some Ti 

def 

choose_subst None (SomeT2) = SomeT2 

def 

choose_subst None None = None 

Finally, the composition of finite maps (o) is defined as: 

ooa' =^ subst_diff a'(a) a' 
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Substitution composition application to a type has the following property: 
Theorem 1. Va. Va'. VT.(ao a')(T) = a'(a(T)) 

Proof. By induction on the type T followed by case analysis on the binding's occurrence in the composed 
substitution and in the individual substitutions. □ 

Interestingly, the base case (when T is a type variable) is more difficult than the inductive case (when T is 
a compound type). Incidentally, the same theorem has been formalized in Coq |fT3l. where substitutions 
are represented as lists of pairs, but the proof there required 600 proof steps. We proved Theorem [T] in 
about 100 proof steps. 

3 First-Order Unification 



We use the following standard presentation of the first-order unification algorithm: 



unify [] 




def 


Id 






unify ((a = j3) : 


::C) 


def 


if a = j3 th 


en 


unify(C) else {a^ j3}o unify ({a j3}(C)) 


unify ((a = t) : 


:C) 


def 


if a occurs 


in 


T then Fail else {a i-> t} unify ({a ^ t}(C)) 


unify((T = a) :: 


:C) 


def 


if a occurs 


in 


T then Fail else {a i-> t} unify ({a ^ t}(C)) 


unify ((ti T2 


= T3 ^ T4) :: C) 


def 


unify((Ti = 


T3 


) :: (T2 = T4) :: C) 



This specification is written in a functional style. It would also have been possible to formalize unify in a 
relational style. A discussion of the trade-offs between these two styles of formalization Coq can be found 
in ||5l. Since Coq's type theory requires functions to be total, the functional style carries an overhead; we 
need a value to represent failure. We used Coq's option type to make first-order unification total. The 
option type {maybe in Haskell) is defined in Coq as follows: 

Inductive option (A : Set) : Set := Some (_ : A) | None. 
The constructor None indicates failure and the term Some(a) indicates success (with a as the result). In 
the presentation here, we omit the None and Some constructors. In virtually all theorems proved here, 
the None case is trivial. 

The presentation of the unification algorithm given here is general recursive, i.e., the recursive call 
is not necessarily on a structurally smaller argument. Various papers have discussed the non-structural 
recursion used in the standard first-order unification algorithm. McBride has given a structurally recur- 
sive unification algorithm [19]. Bove [9| gives an algorithm similar to ours and proves termination in 
Alf We believe our presentation of the algorithm is more perspicuous than Bove's although a similar 
termination argument works here. To allow Coq to accept our definition of unification, we have to either 
give a measure that shows that recursive argument is smaller or give a well-founded ordering relation. 
We chose the latter. We use the standard lexicographic ordering on the triple: <| Cpvc !> I |, | C |>, 
where 

I Cfvc I is the number of unique free variables in a constraint list; 

I I is the total number of arrows in the constraint list; 
I C I is the length of the constraint list. 

Our triple is similar to the triple proposed by others ll9j|4l[3l, but a little simpler. 

Table [T] shows how these components vary depending on the constraint at the head of the constraint 
list. The table closely follows the reasoning we used to satisfy the proof obligations generated by the 
above specification |[T6l . We use -, f, i to denote whether the component is unchanged, increased or 
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Original call 


Recursive call 


Conditions, if any 


1 Cfvc I 




|C| 


{a = a)::C 


C 


a e FVC(C) 






; 


(a = a)::C 


C 


a ^ FVC(C) 


; 


_ 


; 


(a = j3)::C 


{a^l5}{C) 




; 


_ 


; 


(a = t) :: C 


{a ^ t}(C) 


a ^ FTV(t) Aai FVC(C) 


; 




; 


(a = t) :: C 


{a ^ t}(C) 


a ^ (FTV(t) a a e FVC(C) 


; 


t 


; 


(T = a) ::C 


{a t}(C) 


a ^ FTV(t) a a ^ FVC(C) 


; 




; 


(T = a)::C 


{a t}(C) 


a ^ FTV(t) Aae FVC(C) 


; 


t 


; 


((Ti ^- T2) 


((Ti = T3) 


None 






t 


= (t3^T4))::C 


:: (T2 - T4) :: C) 











Table 1 : Properties of the termination measure components on the recursive call 



decreased, respectively. We might have used finite sets here (for counting the unique free variables of a 
constraint list), but we used lists because of our familiarity with the list library. We found the existing 
Coq list library offers excellent support for reasoning about lists in general, and unique lists in particular. 
Coq also provides a library to reason about sets as lists modulo permutation. 

We found the following lemma mentioned in the formalization of Sudoku puzzles by Laurent Thery 
II24I very useful in our termination proofs. 

Lemma 4. 

VZ,Z' : list D, NoDup I NoDup /' List.incI / 1' =^ -.List.incI /' / =^ (List. length /) < (List.length /') 
This lemma nicely relates list inclusion to length. 

4 Verification of tlie Model 

Now we present the proofs of the theorems verifying our model of the idempotent MGU axioms. The 
underlying theme in almost all of the proofs presented below is the use of the functional induction tactic 
|[5l in Coq. This tactic is available to us because we have specified first-order unification in a functional 
style rather than the relational style. The functional induction technique generates an induction princi- 
ple for definitions defined using the Function keyword. Given a general recursive algorithm known to 
terminate (termination requires a separate proof), the induction principle generated for that particular 
algorithm allows a symbolic unfolding of the computation with induction hypotheses for all recursive 
calls. This technique is featured in other theorem provers and was pioneered in Nqthm by Boyer and 
Moore lITOl . 

Functional induction is obviously stronger than the normal list induction, it closely follows the syntax 
of the definition and tends to generate induction hypotheses of exactly the right form needed. The actual 
induction principle is available in [16]. The induction principle for the unification algorithm itself is 
rather long because of the number of cases involved; there are five cases - three of which have three 
sub-cases each. 

In the next few sections, we present the formal statements of the most important lemmas involved in 
the proofs of each of the axioms. For many of these lemmas, we describe the main technique involved 
in the proofs. Due to limitations on space, lemmas stated without comment on their proofs should be 
assumed to follow by structural induction on a constraint list or type. 



30 A Machine Checked Model of Idempotent MGU Axioms For Lists of Equatioml Constraints 

4.1 Axiom i 

Lemma 5. Va. VC. Va. Vt. o \={ah^ t^}{C) =^ ({« i-^ rjoa) ^ C 
Theorem 2. VC. Va. unify(C) = a ^ a |= C 

Proof. Choose an arbitrary C. By functional induction on unify C, there aie two main cases: 
Case C = [ ]. Follows trivially since any substitution satisfies an empty constraint list. 
Case C / [ ] . We consider the various cases based on the constraint at the head of the constraint list. 

1. Case (a = a) ::€'. This case follows from the induction hypothesis. 

2. Case (a = j3) :: C and a / j3. The reasoning is similar to case 3 below. 

3. Case (a = Zi ^ T2) :: C and a ^ FTV(ti — ^ T2). We know unify({a 1-^ Ti T2}(C')) = a' 
and the induction hypothesis is 

Va. unify({a i-)- Ti T2}(C')) = a =^ a |= {a h> Ti — ;> ■T2}{C'). 
We have to show 

Va.a = ({a 1-^ Ti — ^ Tj} o a') ^ a \= {a = Zi ^ T2) '■■ C . Pick an arbitrary a. Assume 
a = {a I-)- Ti — ;> T2} o a'. We must show {{a ^ Z\ ^ T2} ° c') |= (a = Ti — ;> T2) :: C. 
Since we know unify({a 1— Ti — T2}(C)) = a', so by the induction hypothesis we know 
a' 1= {a I-)- Ti — ;> '^2}(C'). We must show {{a H> Ti T2} o a') \= {a = Z\_ ^ T2) :: C. By 
the definition of satisfiability, we must show: 

(a) ({a iH> Ti T2} o a') |= (a = Ti T2). 

By Theorem[T]and the definition of satisfiability, we must show a'({a 1— Ti — T2}(«)) 
= a'({a i-> Ti — ^ T2}(ti — ^ 12))- Since we know a ^ FTV(ti — ^ T2), so {a 1-^ Ti — ^ 
'Z^zK'^i — ^ '^^2) = '^\ ^ '^2 and the proof follows. 

(b) ({tth^ Ti ^ T2}oa') |=C'. 

Since we know o' \= {a ^ Xi ^ T2}(C'), so by Lemma|5]we know {{a 1— )• Ti — )• T2} o 
a') ^ C' as was to be shown. 

4. Case (ti — > T2 = «) - C and a ^ FTV(ti — ^ T2)- Same as case 3 above. 

5. Case (Ti — )■ T2 = I's — ^ T4) :: C The induction hypothesis is 

Va. unify((Ti = T3) :: (T2 = T4) :: C) = a =^ a |= ((ti = T3) :: (T2 = T4) :: C'). 
We have to show 

Va'. unify((Ti = T3) :: (T2 = ^4) :: C) = a' ^ a' |= ((ti — ;> T2 = T3 T4) :: C). 

Pick an arbitrary a' and assume unify = T3) :: (T2 = T4) :: C) = a'. Since we know 

unify ((ti =13) :: (12 = 14) :: C) = a', so by the induction hypothesis we know 

o' 1= ((ti = T3) :: (t2 = T4) :: C). But by the definition of satisfiability, we know 

a'(Ti) = a'(T3), a'(T2) = a'(T4) and a' |= C. 

To show a' 1= ((ti — )• T2 = T3 — )• T4) :: C), we must show: 

(a) o' 1= Ti — T2 = T3 — )• T4. By the definition of satisfiability, we must show 

a'(Ti — > T2) = 0''(t3 — ^ T4). But we assumed a'(Ti) = a'(T3) and a'(T2) = a'(T4), so 
this case holds. 

(b) a' 1= C. But that we already know. 



□ 
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4.2 Axiom ii 

Lemma 6. VC.Va. Va.VT. (a |=C A a ^ FTV(t) A a(a) = a(T)) ^ a |= {a^^ t}(C) 

Proof. By induction on the constraint list C, followed by induction on the structure of the type T. □ 

Theorem 3. VC. Va.Va'. (unify(C) = a A a' ^ C) ^ 3a". a' « a o a" 

Proof. Choose an arbitrary constraint list C. By the definition of extensional equality on finite maps, we 
must show Va.Va'. (unify(C) = a A a' |=C) ^ 3a". Va. a'(a) = (aoa")(a). 
By functional induction on unify(C), there are two main cases: 

Case C = [ ]. Choose an arbitrary a and a'. Assume unify([ ]) = a and a' ^ [ ]. By the definition 
of unify, we know a = Ge- So we must show 3a".Voi.a'(a) = (aEoa")(a). Let a' be the 
witness for a" in 3a".Va.a'(a) = (aEoa")(a). Choose an arbitrary a. Then we must show 
a'(a) = (aEoa')(a). But by Theorem[T] we have (aEoa')(a) = a'(aE(o;)). So we must show 
a'(aE(o;)) = a' (a). But that follows since aE(a) = a. 

Case C / [ ] . We consider the various cases based on the constraint at the head of the constraint list: 

1. Case (a = a) :: C'. Apply the induction hypothesis and then this case is trivial. 

2. Case (a = j3) :: C' and o; / j3. Reasoning is similar to case 3 below. 

3. Case (a = Ti T2) :: C and a ^ FTV(ti T2)- We know unify({a i-> Ti T2}(C')) = Oi 
and the induction hypothesis is 

Va. Va'. (unify({a ^ Zi T2}(C')) = a A a' ^ ({a Ti T2}(C'))) 

3a". Va'. a'(a') = (ao a")(a'). 
We must show 

Vap. Va2. Gp = {{a h> Ti — ;> T2} o ai) A a2 1= ((a = Ti — Ti) '■■ C) 

3a3. Va". a2(a") = (apoa3)(a"). 
Pick an arbitrary Op and a2. 

Assume Op = {a 1— )■ Ti — )• T2} o oi and a2 \= ((a = Ti — > T2) :: C). We must show 
3a3. Va". a2(a") = (({a Ti T2} o (^i) ° o-3)(a"). Since a2 |= ((a = Ti T2) :: C) 
so, by the definition of constraint satisfiability, we know a2(a) = a2(Ti — >• T2) and a2 |= C. 
Then, by Lemma [6] and by our assumptions, we know a2 |= ({a 1— )• Ti — )• T2}(C')). Since 
we also know unify({a 1— )• Ti — )• T2}(C')) = 0\, so, by the induction hypothesis, we know 
3a". Va'. a2(a') = (ai o a")(a'). We assume Va'. a2(a') = (ai o a4)(a'), where 04 is 
fresh. Then, to show 3a3.Va".a2(a") = (({a ^ Zi T2} o ai) o a3)(a"), we choose the 
witness 04 and show Va".a2(a") = (({a H> Ti — )- T2} o ai) o a4)(a"). Pick an arbitrary a" 
and show a2(a") = (({a 1— )• Ti — )• T2} o ai) o a4)(a"). By Theorem[T| we must show 
a2(a") = a4(ai({a 1-^ Ti — ^ T2}(«")). There are two cases to consider: 

(a) Case a 7^ a". Then we must show a2(a") = a4(ai (a")). But that follows our assump- 
tions and Theorem [T] 

(b) Case a = a". Then we must show a2(a) = a4(ai(Ti — )• T2)). Since we know 

a2(a) = a2(Ti — ;> T2), so we must show a2(Ti — > T2) = 0'4(o'i(fi — > ^^i))- But that 
follows from our assumptions and Lemma [T] and Theorem [T] 

4. Case (ti — )■ T2 = a) :: C and a ^ FTV(ti — T2). Same as case 3 above. 

5. Case (ti T2 = "C^ ^ T4) :: C. Apply the induction hypothesis and then this case is trivial. 

□ 
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4.3 Axiom iii 

Lemma 7. Va, a'. Vr.Va. a' G dom_subst({a t} o a) 

a' G dom_subst({a t}) V a' G dom_subst((7) 

Lemma 8. Va,a'.VT.Va. (a ^ FTV(t) A a' g range_subst({a i-> z}oa)) =^ 
a' G range_subst({a i-^ t}) V a' G range_subst(a) 

Without going into the details, the following lemma helps us in proving Lemma[8] Note that the definition 
of o contains references to higher order functions M.map2 and this lemma helps in not having to reason 
about M.map2 function but instead we use Theorem[T]to reason about substitution composition. 

Lemma 9. Va.Va. a G range_subst(a) 4^ 3a'. a' G dom_subst(a) A a G FTV((T(a')) 

Lemma 10. Va,a'. Vt. VC. (a' ^ FTV(t) Aa' G FTV({a ^ t}(C))) ^ a' g FTV(C). 

Lemma 11. VC. Va. unify(C) = a ^ dom_subst(a) C FTV(C) 

Proof. By functional induction on un ify(C) andLemma|7] □ 

We focus on the proof of the most involved lemma. 

Lemma 12. VC. Va. unify(C) = a ^ range_subst(a) C FTV(C) 

Proof. Choose an arbitrary C. Unfolding the definition of C, we must show 

Va. unify(C) = a =^ Va'. a' G range_subst(a) =^ a' G FTV(C). By functional induction on unify(C), 
there are two main cases: 

Case C = [ ]. Then, by the definition of unify, we know a = (Je- So we must show 

range_subst(aE) ^ FTV([ ]). The proof follows from the definition of range_subst and the defini- 
tion of FTV. 

Case C / [ ]. We consider the various cases based on the constraint at the head of the constraint list: 

1. Case (a = a) :: C. The induction hypothesis is: 

Va. unify(C') = a ^ Va".a" G range_subst(a) ^ a" G FTV(C') 
and we must show 

Va. unify(C') = a ^ Va'.a' G range_subst(a) ^ a' G FTV((a = a) :: C). 

Pick an arbitrary a and assume unify(C') = a. Pick an arbitrary a'. 

Assume a' G range_subst(a) and show a' G FTV((a = a) :: C). 

Since we know unify(C') = a, so, by the induction hypothesis, we know 

Va". a" G range_subst(a) =^> a" G FTV(C'). Since we also know a' G range_subst(a), so 

we know a' G FTV(C'). That also means a' G FTV((a = a) :: C') as was to be shown. 

2. Case (a = j8) :: C and oc ^ 15. Reasoning is similar to case 3 below. 

3. Case (a = Ti — ^ T2) :: C and a ^ FTV(ti — )- T2). We know unify({a i-)- Ti T2}(C')) = ai, 
and the induction hypothesis is 

Va'. unify({a i-> Ti '^2}(C')) = a' ^ 

Va'.a' G range_subst(a') =^ a' G FTV({a ^ Ti ^ T2}(C')). 
We must show 

Va".a" G range_subst({a 1-^ Ti T2}oO'i) =^ a" G FTV((a = Ti — > T2) C). 

Pick an arbitrary a" and assume a" G range_subst({a i-> Ti — ^ T2} o ai). We must show 

a" G FTV({a = Ti — ;> T2} :: C). There are two cases: 
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(a) Case a" = a. Then clearly a" £ FTV({a = Ti — ^ T2}(C")) as was to be shown. 

(b) Case a" a. Then we have two cases: 

i. a" G FTV(ti T2). Then clearly a" G FTV({a = Ti T2} :: C) as was to be 
shown. 

ii. a" ^ FTV(ti — > Tj)- Then we must show a" G FTV(C'). Since we know 
unify({a I— Ti — T2}(C')) = ai, so by the induction hypothesis we know 
Va'.a' G range_subst(ai) =^ a' G FTV({a H> Ti T2}(C')). 

Since a" G range_subst({a 1— Ti — T2} o oi) so, by Lemma [sj we know either 
a" G range_subst({a 1— Ti — T2}) or a" G range_subst(ai). Again, there are two 
cases: 

A. Case a" G range_subst({a H> Ti — ;> T2}). Then a" G FTV(ti — )- T2) - a contra- 
diction. 

B. Case a" G range_subst(ai). Then from the induction hypothesis we know 

a" G FTV({a ^ Ti ^ '^2}(C'))- Then by Lemma[To| a" G FTV(C') as was to 
be shown. 

4. Case (ti — )■ T2 = Of) :: C and a ^ FTV(ti — T2). Same as case 3 above. 

5. Case (ti — )• T2 = T3 — )■ T4) :: C. Apply the induction hypothesis and then this case is trivial. 

□ 

Theorem 4. VC. Va. unifyC = a ^ FTV(a) C FTV(C) 

Proof. By the definition of FTV and by Lemma [TT] and Lemma 12 □ 



4.4 Axiom iv 

This axiom requires the notion of subterms, which we define below: 
subterms(a) [ ] 

def 

subterms(Ti — )- T2) = Ti :: T2 :: (subterms Ti) ++ (subterms T2) 

Then we can define what it means to for a term to be contained in another term. 
Lemma 13. Vt,t'. t G subterms(T') =^ Vt". z" G subterms(T) =^ x" G subterms(T') 
A somewhat related lemma is used to show weU foundedness of types. 
Lemma 14. Vt. -■ T G subterms(T) 



Proof. By induction on the structure of the type T and by Lemma 13 □ 



The following obvious but powerful lemma helps in proving the axiom: 
Lemma 15. Va. Va. Vt. a G subterms(T) =^ a(a) / a{x) 

Proof. By induction on the structure of the type T and by Lemma [14] □ 
Lemma 16. Va. Va. Vti,T2. a G FTV(ti) Va G FTV(t2) =^ a g subterms(Ti — ;> T2) 
Proof. By induction on Ti, followed by induction on T2. □ 
A corollary from the above two gives us the required lemma. 
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Corollary 1. Va.Va.VTi,T2-a e FTV(ti) Va G FTV(t2) =^ a(a) 7^ a{zi T2) 



Proof. By Lemma 15 and 16 □ 



This is the only theorem where the failure cases are interesting. So in the following theorem we carry 
along the constructor that shows success or failure of unify function call. 

Theorem 5. VC. Va. a |= C ^ 3o'. unify(C) = Some a' 

Proof. Choose an arbitrary C and a. By functional induction on unify(C), there ai^e two main cases: 

Case C = [ ]. Assume a |= [ ]. Then we must show 3a'. unify([ ]) = Some a'. Let Ge be the witness for 
a' in 3a'. unify([ ]) = Some a'. So we must show unify [ ] = Some Oe but that follows from the 
definition of unify. 

Case C 7^ [ ]. We consider the various cases based on the constraint at the head of the constraint list: 

1. Case (a = a) :: C. Apply the induction hypothesis and then this case is trivial. 

2. Case [a = j3) :: C and cc p. Reasoning is similar to case 3 below. 

3. Case (a = Ti — ;> T2) '■■ C and a ^ FTV(ti — )• T2). We know 
unify({a I— )• Ti — T2]{C')) = None and the induction hypothesis is: 

a' 1= {{a i2]{C')) 3a". unify({a ^ Zi T2KC')) = Some a". 

We must show 

a' 1= ((a = Ti — ;> T2) :: C) =^ 3as. None = Some (73. 

Assume a' \= ((a = Ti T2) :: C), i.e., o'{a) = a'(Ti — ^ T2) and o' |= C. 

We must show 3ot,. None = Some Oj,. By Lemma[6]and by our assumptions, we know 

o' 1= ({a Ti — )• T2}(C")). So, by the induction hypothesis, we know 3a". None = Some a". 

Since we know 3o" . None = Some a", so assume None = Some a'" , where o'" is fresh, but 

that is a contradiction and so this case holds. 

4. Case (a = Ti — ;> T2) :: C and a G FTV(ti T2)- 

Then, we must show o' |= ((a = Ti — )• T2) :: C) =^ Bas.None = Some as. 

Assume a' |= ((a = Ti — )• T2) :: C), /.e., o'{a) = a'(Ti — ;> T2) and a' ^ C. Since we know 

a £ FTV(ti — ^ T2), /.e, either a G FTV(ti) or a g FTV(t2), so by Corollary [T] 

o'{a) 7^ a'(Ti — )■ T2), which is a contradiction. Thus the proof follows trivially. 

5. Case (ti T2 = a) :: C and a ^ FTV(ti — > T2)- Similar to case 3. 

6. Case (ti — ;> T2 = a) :: C and a G FTV(ti T2)- Similar to case 4. 

7. Case (Ti — ^ T2 = f 3 — ^4) - C. Apply the induction hypothesis and then this case is trivial. 

□ 



4.5 Axiom v 

The following lemmas are needed for the main proof, the first two follow by induction on the structure 
of the type z and the third by induction on C. 

Lemma 17. Va. Va. Vt. a i FTV(t) Aa i FTV(a) ^ a ^ FTV (a(T)) 
Lemma 18. Va. Vt,t'. a ^ FTV(t) =^ {a i-> = t 
Lemma 19. Va. Vt. VC. a ^ FTV(t) ^ a ^ FTV({a ^ t}(C)) 
The theorem we must prove is: 
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Theorem 6. VC. Va. unify(C) = a =^ {a o a) ^ a. 

Proof. Pick an arbitrary C. Unfolding the definition of ^, and by Theorem[T] we must show: 

V(7. unify(C) = a =^> Va. a(a(a)) = (j{a). 

By functional induction on unify C, there are two main cases: 

Case C = [ ]. This case follows since Va. (Je{gc) = cc. 

Case C 7^ [ ]. We consider the various cases based on the constraint at the head of the constraint list: 

1. Case (a = a) :: C'. Apply the induction hypothesis and then this case is trivial. 

2. Case (a = j8) :: C. Reasoning is similar to case 3 below. 

3. Case (a = Ti T2) " C and a ^ FTV(ti 12)- We know unify ({a 1-^ Ti TiKC')) = a 
and the induction hypothesis is: 

Va'.unify {a ^ Ti ^ T2}(C') = a' ^ Va'.a'(a') = a'(a'(a')) 
And we must show: 

a({a Ti ^ T2}(a")) = (a({a ^xi^ T2}(a({a ^r^^ T2}(a"))))). 
There are two cases: 

(a) Case a = a". Then we must show a(Ti — > T2) = cj({a i-> Ti — > T2}(a(Ti — > ^2))). From 
Lemma 19 and Theorem|4j we know that a ^ FTV(a). Since a ^ FTV(ti — )• T2) and 



a ^ FTV(a), so by Lemma [T7| a ^ FTV(a(Ti — )- T2)). By Lemma [18] (choosing z' to 
be Ti — )• T2)> we get a(Ti — )■ T2) = {a 1— )• Ti — )• T2}(<7(ti — T2)). So now we must show 
c7(ti — )■ T2) = o{a{zi T2)). Then, by Lemma[T| we must show Vj8. a(j8) = a(a(j8)) 
. Choose an arbitrary j8 and show a(j8) = a(a(j8)), but that follows from the induction 
hypothesis (by choosing a' to be a and a' to be j3) and our assumptions, 
(b) Case a / a". Then we must show a(a") = a({a 1-^ Ti — ^ T2}(a(a"))). From Lemma 
T9]and Theor em [4{ we know that a ^ FTV(a). Since a ^ FTV(a") and a ^ FTV(a), 

- I , _l , . , / , //\ \ - I . .-. I . . I ^ 



so by Lemma [T7| a ^ FTV((7(a")). By Lemma 18 and using t' to be Ti — )• T2 we get 
a{a") = ({a Ti — )- T2}(a(a"))). So now we must show a{a") = a(a(a")), but 
that follows from the induction hypothesis (by choosing a' to be a and a' to be a") and 
our assumptions. 

4. Case (ti — ;> T2 = a) :: C' and a ^ FTV(ti — )• T2). Same as Case 3. 

5. Case (ti — )■ T2 = I's — ^ ^4) :: C. Apply the induction hypothesis and then this case is trivial. 

□ 

4.6 Axiom vi 

The theorem we must prove is: 
Theorem 7. Va. unify [ ] = a =^ cj = aE 

Proof. Choose an arbitrary a. Assume unify [ ] = a. Unfold the definition of unify. Then we know 
a = aE as was to be shown. □ 

4.7 Axiom vii 

The main proof requires a lemma, which we mention next. 

Lemma 20. VC,C'. Va. Vt. {a ^ t}(C) ++ {a ^ t}(C) = {a^ t}(C ++ C) 
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The theorem we must prove is: 

Theorem 8. VC,C2. Va',a",a'". (unify(C) = a' A unify(a'(C2)) = o" A unify(C ++ C2) = o'") 
^ a'" ^ [a'oa") 

Proof. Pick an arbitrary C. By Theorem[T]and unfolding the definition of w, we must show: 
VC2. Va',a",a'". (unify(C) = a' A unify(a'(C2)) = a" A unify(C++C2) = a'") 

^Va'.a'"(a') = a"(a'(a')). 
By functional induction on unify(C), there are two main cases: 

Case C = [ ]. Follows from Theorem|7]and the assumptions. 

Case C 7^ [ ]. Consider the various cases based on the constraint at the head of the constraint list. 

1. Case (a = a) :: C. This case follows from the induction hypothesis and the definition of 
append. 

2. Case (a = j3) :: C' and a 7^ /3. Similar to case 3 below. 

3. Case (a = Ti T2) '■■ C and a ^ FTV(ti — > 12)- We know unify({a i-> Ti T2}(C')) = CJ. 
The induction hypothesis is: 

VCi. \/Oi, 02,03. 

(unify({a H> Ti T2}(C')) = 0\ A 
unify(ai(Ci)) = 02 A 
unify(({a ^ Ti ^ T2}(C'))++Ci) = O3) 
^ya" . 03ia") = 02{oi{a")). 
We must show: 
VC2. Va',a",a'". 

({a 1-^ Ti T2} o a = o'a 
unify(a'(C2)) = o"A 
unify(((a = Ti ^ T2) :: C')++C2) = o'") 
^ya'.o"'{a') = o"{o'{a')). 
Pick an arbitrary €2,0' , o" and a'". Assume {a 1— )■ Ti — T2} o (j = cr' and 
unify(a'(C2)) = o" and unify(((a = Tj ^ T2) :: C')++C2) = a'". By the definition of ap- 
pend, the last assumption is unify((a = Ti — ^ T2) (C++C2)) = o'". 
Unfolding the unify definition once, we know unify({a 1-^ Ti — ^ '^2}{C' ++ C2)) = Or, 
where o'" = {a 1— )■ Ti — )• T2} ° (^t- Also, since a' = {a 1— Ti — T2} o o, so we know 
unify(({a 1-^ Ti T2} o a)(C2)) = a". Since we know o'" = {a H> Ti — )• T2} o O'r, so 
we must show Va'. ({a i-> Ti T2} o OT){a') = cT"(({a 1-^ Ti ^ T2} o o){a')). Pick an 
arbitrary a'. By Theorem[T] we must show 

Oriia I-)- Ti — ;> T2}(a')) = o"{o{{a h> Ti — ;> T2}(a'))). There are two cases: 

(a) Case a = a'. Then we must show Ori'Ci — > T2) = o"{o{Zi — )• T2))- But by Lemma[T| 
we must show Va'". Ot{oc"') = o"{o{a"')). Pick an arbitrary a'" and so we must show 
Ot{cc"') = o" {o{a"')). But that follows from the induction hypothesis (by choosing C\ 
to be {a I— )• Ti — )• T2}(C2), CJi to be a, O2 to be o" and 03 to be Ot) and the definition 
of substitution composition and Lemma [20] and the assumptions. 

(b) Case a / a'. Then we must show Ojia.') = o"{o{a')). But that follows from the 
induction hypothesis (by choosing C\ to be {a 1— Ti — T2}(C2), cJi to be o, 02 to be o" 



and O3 to be Oj) and the definition of substitution composition and Lemma 20 and the 
assumptions. 
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4. Case (ti — T2 = a) :: C and a ^ FTV(ti — )• T2). Same as the above case. 

5. Case (ti — )• T2 = T3 — )• T4) :: C. Apply the induction hypothesis. 

□ 

5 Related Work and Conclusions 

Unification is fundamentally used in type inference. There are formalizations of the unification algorithm 
in a number of different theorem provers |'8l|2Tl|22l. We comment on the implementation in the CoLoR 
library CoLoR is an extensive and very successful library supporting reasoning about termination 
and rewriting. A Coq implementation of the unification algorithm was recently released JH. Our im- 
plementation differs from theirs in a number of ways. Perhaps the most significant difference is that we 
represent substitutions as finite maps, whereas in CoLoR the substitutions are represented by functions 
from type variables to a generalized term structure. The axioms verified here are not explicitly verified in 
CoLoR, however their library could serve as a basis for doing so. We believe that the lemmas supporting 
our verification could be translated into their more general framework but that the proofs would be signif- 
icantly different because we use functional induction which follows the structure of our algorithm. The 
unification algorithm in CoLoR is specified in a significantly different style (as an iterated step function). 

Though many lemmas were simple, many others required generalization in order for the proof to 
go through. Our choice of finite maps library to represent substitutions helped us significantly. Coq's 
finite maps library is expressive enough to specify complicated definitions (substitution composition, 
range elements) yet the reasoning with them is simple if we abstract away from the actual definition 
and look at the extensional behavior instead. Since we used an interface, we could not really argue 
about the normal substitution equality. Our specification of unification was in a functional style but the 
definition was general recursive. This meant that we had to show the termination using a well-founded 
ordering. Once termination was established, the functional induction tactic helped us immensely 
in reasoning about the first-order unification algorithm. 

The entire formalization (all seven axioms) is done in Coq 8.1.pl3 version in around 5000 lines of 
specifications and tactics, and is available online at http : //www . cs . uwyo . edu7~skothari 

We would like to thank Santiago Zanella (INRIA - Sophia Antipolis) for showing us how to encode 
lexicographic ordering for 3-tuples in Coq. We thank Frederic Blanqui for answering our queries regard- 
ing the new release of CoLoR library, Laurent Thery for making his Coq formulation of Sudoku |[24l 
available on the web, Stephane Lescuyer and other Coq-club members for answering our queries on the 
Coq-club mailing list, and Christian Urban (TU Munich) for discussing at length the MGU axioms used 
in their verification of Algorithm W [25 1. Finally, we want to thank anonymous referees for their detailed 
comments and suggestions (on an earlier draft of this paper), which greatly improved the presentation of 
this paper. 
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